b'\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or\n  fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\n\nGAS                   Government Auditing Standards\nNSA                   National Security Agency\nOIG                   Office of the Inspector General\n\x0c                                                                           March 13, 2003\n\nMEMORANDUM FOR INSPECTOR GENERAL, NATIONAL SECURITY AGENCY\n\nSUBJECT: Review of the Quality Control System at the National Security Agency\n         Inspector General Office of Audits (Report No. D-2003-6-005)\n\n\n         We are providing this memorandum for your information and use. The\nGovernment Auditing Standards require that audit organizations that conduct audits in\naccordance with the standards have an appropriate internal quality control system in place\nand undergo an external quality control review every 3 years by an organization not\naffiliated with the organization being reviewed. Our review of the National Security\nAgency (NSA) Office of the Inspector General (OIG) Office of Audits was to ensure\ncompliance with Government Auditing Standards (GAS). As the organization that has\naudit policy and oversight responsibilities for audits in the DoD, we facilitated and\noversaw the conduct of this external peer review of the NSA OIG Office of Audits. To\navoid unnecessary duplication and disruption, the audit external quality control review of\nNSA was done concurrently with the management review of the NSA OIG conducted by\nthe Office of the Assistant Inspector General for Intelligence, Office of the Inspector\nGeneral of the Department of Defense.\n\nBackground. The foreign intelligence mission of the NSA is both national and defense\nin nature, and it encompasses signals intelligence, information security, and operations\nsecurity. The Office of Audits is responsible for producing quality results in terms of\nmaking constructive recommendations to significantly improve NSA operations;\nidentifying funds to be put to better use; and preventing and detecting fraud, waste, and\nmismanagement in accomplishing the NSA mission. The Inspector General, NSA is\ndelegated the authority from the Director, NSA/Chief, Central Security Service to\nconduct audits. Audits within NSA are executed by the Office of Audits under the\nmanagement and direction of the Senior Assistant Inspector General for Audits. The\nNational Security Agency/Central Security Service Office of Audits Office of the\nInspector General Audit Manual (hereafter referred to as Audit Manual), January 2002,\nprovides guidance on the operation of audits within NSA.\n\nQuality Control Review Objectives. The objectives of the review were to determine\nwhether the system of quality control for the Office of Audits in effect for the year ended\nJune 30, 2002, was designed to provide the NSA OIG with reasonable assurance of\nmaterial compliance with established policies, procedures, and government auditing\nstandards in the conduct of its audits and that the system of quality control was being\ncomplied with for the year then ended. The Office of Audits issued 11 final audit reports\nduring July 2001 through June 2002, the period reviewed. Appendix A contains a\nsummary of the quality control review process.\n\nReview Results. The system of quality control for the audit function of the NSA OIG in\neffect for the year ended June 30, 2002, has been designed in accordance with established\npolicies, procedures, and government auditing standards. The Office of Audits complied\nwith the system of quality control for the year then ended to provide reasonable assurance\nof material compliance with established policies, procedures, and government auditing\nstandards in the conduct of its audits. Our review did not disclose any material\nweaknesses in the system of quality control for the Office of Audits. The quality control\n\n                                             1\n\x0csystem had many quality policies, procedures, and practices that enhanced both audit\neffectiveness and efficiency as well as skilled, competent staff; high quality audit manual\nand policies; and well documented working papers that contained sufficient, competent,\nand relevant evidence. We did make some observations where improvements could be\nmade in complying with government auditing standards and your internal audit policies\nand procedures. These observations are not of sufficient significance to affect our overall\nconclusion as expressed in this memorandum.\n\n        Staff Qualifications. The NSA audit staff is highly experienced and collectively\npossesses adequate proficiency to accomplish the work assigned as described in the Audit\nManual. However, the Office of Audits should have a more balanced training program,\nbetter documentation of training, and a review requirement when there are disagreements\nbetween the audit team and consultants or internal specialists.\n\nWe reviewed training and educational activity documentation for the period of January 1,\n2001, through October 15, 2002, for the nine current full-time auditors on the NSA\nOffice of Audits staff. Overall, we found that all audit staff are receiving sufficient\ntraining to meet the required continuing education requirements. There has been a heavy\nemphasis on information technology course work to meet the continuing education\nrequirements including the 24 hours related to the government environment and\ngovernment auditing. Audit staff training should not be concentrated on information\ntechnology for the 24-hour continuing professional education requirement because it\ncould be interpreted as not being specific or unique to the government environment.\n\nThe Qualifications standard requires individuals responsible for planning or directing an\naudit, conducting substantial portions of the field work, or reporting on the audit under\nGAS to complete at least 24 of the 80 hours of continuing professional education training\nin subjects directly related to the government environment and to government auditing.\nIf the audited entity operates in a specific or unique environment, auditors should receive\ntraining that is related to that environment. The audit organization is responsible for\nestablishing and implementing a program for meeting the continuing education and\ntraining requirements and maintaining documentation of the education and training\ncompleted. The GAS continuing education and training requirements are implemented\nthrough the Audit Manual Section 201.3-201.8. The Qualifications standard also\nindicates that an organization may need to employ personnel or hire outside consultants\nknowledgeable in such areas as accounting, statistics, law, engineering, audit design and\nmethodology, automated data processing, public administration, economics, social\nsciences, or actuarial science.\n\nThe General Accounting Office, Government Auditing Standards, \xe2\x80\x9cInterpretation of\nContinuing Education and Training Requirements,\xe2\x80\x9d April 1991 states that the 24-hour\nrequirement calls for auditors to obtain 24 hours of continuing professional education in\nsubjects and topics directly related to the government environment and to government\nauditing or the specific or unique environment in which the audited entity operates. The\nApril 1991 Interpretation goes on to provide guidelines on subjects and topics that would\nqualify for the 24-hour requirement. In the past, General Accounting Office personnel\nwithin the Government Auditing Standards division have responded to specific questions\nrelated to information technology training as not qualifying for the 24-hour requirement.\nThe General Accounting Office personnel emphasized that the guidelines focus on course\n\n\n                                             2\n\x0ccontent such as knowledge of government accounting and auditing standards, legal and\nregulatory requirements, and knowledge of government programs and activities necessary\nfor government auditors to perform quality audits of a governmental entity.\n\nEmphasis on information technology training was caused by the emphasis on information\ntechnology systems at NSA, sponsorship of information technology courses by the NSA\nat no cost to the OIG, and the low training budget of the Office of Audits. However,\nthere are low-cost courses such as self-study courses on Performance Audits of\nGovernmental Entities and Yellow Book Government Auditing Standards that can\nprovide audit-related training to meet the 24-hour continuing professional education\nrequirements in government environment and auditing. The Office of Audits should have\na more balanced training program consisting of continuing professional education\ninvolving the government environment and government auditing.\n\nWe also noted instances where continuing professional education hours were not shown\non the certificates of completion, and certificates were not provided. In some instances,\nproof of class attendance was based on memorandum and travel documentation. The\nOffice of Audits should document hours of continuing professional education and course\ncompletion when certificates are not provided.\n\nIn addition, the Audit Manual does not contain a requirement for review by an\nappropriate level when there is a disagreement between an audit team and a consultant or\ninternal specialist.\n\n        Independence. The OIG maintains its independence and is not impeded in\naccomplishing its intended mission. Our review was performed based on the prior\nindependence standard which made the audit organization responsible for having policies\nand procedures in place to help determine if auditors have any personal impairments.\nThe NSA OIG Office of Audits met the GAS independence standard requirements prior\nto January 2003, when the new independence standard was effective. See scope\nlimitations indicated in Appendix A.\n\n        Due Professional Care. The OIG auditors used sound judgment in conducting\ntheir audits.\n\n        Quality Control. The Office of Audits did not consistently use the prescribed\nAudit Manual checklists, which are used by the auditor-in-charge, editor, and secretary to\nprocess draft and final reports. One memorandum report, which included observations\nbased on an auditor\xe2\x80\x99s review of a certified public accountant firm\xe2\x80\x99s working papers, was\nnot cross-referenced to the supporting working papers and lacked evidence of an\nindependent referencing review of the audit report to supporting working papers. We\nalso identified an instance where, contrary to the Audit Manual, the person performing\nthe referencing validation was not entirely independent because the individual had been\npart of the original audit project team. Office of Audits personnel indicated that staff\nsize, availability, and impact on schedule factor into the selection of the independent\nperson. The Office of Audits needs to ensure that persons performing referencing\nvalidation have no direct relationship with the audit. According to the Senior Assistant\nInspector General for Audits, audits that ended in the period under evaluation used\ndifferent checklists because at that time NSA was going through a period of changing\nfrom one audit manual to another.\n\n\n                                            3\n\x0c        Audit Planning. The planning process is sufficient to ensure that audits\naddressing significant issues are performed and that resources are efficiently allocated to\ncomplete those projects. An annual audit plan is prepared and issued and covers major\nprogram and support areas. The plan is reasonable and audits carried over from year to\nyear are completed in a timely manner during the course of the next fiscal year before\nnew audits are begun. The NSA OIG meets established criteria for followup by\nmaintaining complete, accurate, and reliable records of the status of audit findings and\nrecommendations. Overall, we found that the audits performed were generally well\nplanned and executed with reports being issued in a timely manner.\n\n       Supervision. In general, audit supervision at all levels was well provided to\nensure a quality report acceptable to management. Working papers of staff auditors are\nreviewed in a timely manner by the auditor-in-charge. Generally, no one reviewed the\nworking papers of the auditor-in-charge. Instead of supervisory review of auditor-in-\ncharge working papers, the Senior Assistant Inspector General for Audits holds monthly\nsupervisory meetings, and meetings are also held with the Deputy Inspector General to\nprovide an additional level of supervision to the audit working papers. The Senior\nAssistant Inspector General for Audits indicated that the structure within the Office of\nAudits lacks layers/hierarchical structure, and their structure is not conducive to\nsupervisory review of auditor-in-charge working papers. The NSA OIG Office of Audits\nhad compensating/mitigating controls in place to ensure they met the supervision\nstandard.\n\n        Evidence and Working Papers. On the whole, working papers provided\nsufficient, competent, and relevant evidence to support audit findings and conclusions.\nWe found improper classification markings either higher or lower than should be on\nsome working papers and binders.\n\n        Internal Controls. The audits met the standards for reviewing and reporting\ninternal controls. NSA OIG auditors substantively addressed internal controls during the\nperformance of the seven audits reviewed.\n\n         Illegal Acts, Other Noncompliance and Abuse. There were no indications of\nrisk of illegal acts or other noncompliance for the reports we reviewed. Auditors did not\ngenerally use legal counsel except on a case-by-case basis. We believe the Audit Manual\nshould be revised to include a mechanism to document whether or not legal review was\nneeded and obtained.\n\n         Reports on Audits. Reports were well received by management. Findings and\nconclusions were well supported and documented. Reports were clear, concise, and met\naudit objectives. One report did not include a scope paragraph or a statement that the\naudit was conducted in accordance with generally accepted Government Auditing\nStandards, as required by GAS and the Audit Manual. One audit used only statements of\ncondition for the finding paragraph. The Audit Manual Section 755.3 requires condition,\ncriteria, cause, and effect.\n\n\n\n\n                                             4\n\x0c\x0cAppendix A. Quality Control Review Process\n\nScope\n    The review team tested compliance with the NSA OIG\xe2\x80\x99s system of quality control to the\n    extent considered appropriate. These tests included a review of 7 of 11 audit reports\n    issued between July 1, 2001, and June 30, 2002. The review team reviewed working\n    papers for the selected audits, conducted interviews of professional and administrative\n    staff members, and performed tests of documentation.\n\n    Scope Limitations. The review was for the purpose of determining whether the NSA\n    OIG internal quality control system was designed to provide reasonable assurance of\n    material compliance with established policies, procedures, and government auditing\n    standards in the conduct of its audits and was being complied with for the year reviewed.\n    We conducted our review in conformance with standards and guidelines established by\n    the President\xe2\x80\x99s Council on Integrity and Efficiency. The review would not necessarily\n    disclose all weaknesses in the system of quality control or all instances of lack of\n    compliance with it because our review was based on selective tests. Because there are\n    inherent limitations in the effectiveness of any system of quality control, departures from\n    the system may occur and not be detected.\n\n    Projection of any evaluation of a system of quality control to future periods is subject to\n    the risk that the system of quality control may become inadequate because of changes in\n    conditions or because the degree of compliance with the policies or procedures may\n    deteriorate. GAS Amendment No. 3, Independence, January 25, 2002, requires that the\n    audit organization should have an internal quality control system to help determine if\n    auditors have any personal impairment to independence that could affect their\n    impartiality or the appearance of impartiality. Our review period ended June 30, 2002;\n    However, GAS Answers to Independence Standard Questions, July 2002, indicates that\n    the independence standard\xe2\x80\x99s provisions are applicable to all audits for periods beginning\n    on or after January 1, 2003.\n\n\nMethodology\n    From October 2002 through February 2003, the external review team conducted a quality\n    control review of the audit function for the Office of Audits in effect for the period\n    July 1, 2001, through June 30, 2002. The team used the guidelines and checklists\n    established by the President\xe2\x80\x99s Council on Integrity and Efficiency as amended February\n    2002 to ensure that the review was in conformance with GAS. The team used the\n    President\xe2\x80\x99s Council on Integrity and Efficiency checklist items to review:\n\n        \xe2\x80\xa2   Staff Qualifications;\n        \xe2\x80\xa2   Independence;\n        \xe2\x80\xa2   Due Professional Care;\n        \xe2\x80\xa2   Quality Control;\n\n                                             6\n\x0c       \xe2\x80\xa2   Audit Planning;\n       \xe2\x80\xa2   Supervision;\n       \xe2\x80\xa2   Evidence and Working Papers;\n       \xe2\x80\xa2   Internal Controls;\n       \xe2\x80\xa2   Illegal Acts, Other Noncompliance and Abuse; and,\n       \xe2\x80\xa2   Reports on Audits.\n\n    The review team adjusted the President\xe2\x80\x99s Council on Integrity and Efficiency guidelines\n    and checklists as appropriate to reflect the Office of Audits. The review team considered\n    several factors in applying the President\xe2\x80\x99s Council on Integrity and Efficiency guidelines,\n    such as the size of the Office of Audits, the degree of operating autonomy allowed, and\n    the nature of work. In conducting the review, the review team reviewed 7 of 11 audit\n    reports issued in the period reviewed and associated working papers for the reports.\n\nNSA Audit Policies and Procedures\n    National Security Agency/Central Security Service Office of the Inspector General,\n    Office of Audits, Audit Manual, January 2002, provides guidance on the operation of\n    audits within NSA. Government Auditing Standards published by the U.S. Comptroller\n    General are the criteria guiding auditors in their work to ensure quality and reliable audit\n    results. Government Auditing Standards require that the internal quality control system\n    established by the audit organization should provide reasonable assurance that it has\n    adopted, and is following, applicable auditing standards and has established, and is\n    following, adequate audit policies and procedures. The Department of Defense (DoD)\n    Internal Audit Manual implements the Comptroller General\xe2\x80\x99s auditing standards in DoD.\n\n    To implement an internal quality control system, the Audit Manual specifically adopts\n    and expands on the Comptroller General\xe2\x80\x99s auditing standards, consistent with NSA\n    authorities for use by its auditors.\n\nDoD Intelligence Agency Audit External Review Process\n    The review was done in accordance with the process established to facilitate the external\n    reviews of the DoD intelligence agencies. As a part of this process, we established a\n    review team of experienced senior auditors from the DoD intelligence organizations\n    except for the organization under review. The OIG, DoD provided training and oversight\n    for the review.\n\n\n\n\n                                             7\n\x0cAppendix B. Report Distribution\n\n\nOther Defense Organizations\n Director, National Security Agency\n    Inspector General, National Security Agency\n\nCongressional Committees and Subcommittees, Chair and Ranking\n  Minority Member\n Senate Committee on Appropriations\n Senate Subcommittee on Defense, Committee on Appropriations\n Senate Committee on Armed Services\n Senate Committee on Governmental Affairs\n House Committee on Appropriations\n House Subcommittee on Defense, Committee on Appropriations\n House Committee on Armed Services\n House Committee on Government Reform\n House Subcommittee on Government Efficiency, Financial Management, and\n   Intergovernmental Relations, Committee on Government Reform\n House Subcommittee on National Security, Veterans Affairs, and International Relations,\n   Committee on Government Reform\n\n\n\n\n                                            8\n\x0cTeam Members\nThe Deputy Assistant Inspector General for Audit Policy and Oversight, Office of the\nAssistant Inspector General for Inspections and Policy of the Department of Defense\nprepared this report. Personnel of the Office of the Inspector General of the Department\nof Defense and other organizations who contributed to the report are listed below.\n\nCarolyn R. Davis\nCraig D. Campbell\nKenneth Feldman\nCharles Grauze\nKrista S. Gordon\n\x0c'